Merge pull request #94 from chrsz/feature/jwt_secure_samesite
Added other optional settings variables to the JWT cookie
This commit is contained in:
commit
9dbbef4640
5
.gitignore
vendored
5
.gitignore
vendored
|
@ -107,4 +107,7 @@ venv.bak/
|
|||
# mypy
|
||||
.mypy_cache/
|
||||
demo/react-spa/node_modules/
|
||||
demo/react-spa/yarn.lock
|
||||
demo/react-spa/yarn.lock
|
||||
|
||||
# Visual Studio Code
|
||||
.vscode/
|
||||
|
|
|
@ -86,6 +86,9 @@ class LoginView(GenericAPIView):
|
|||
response = Response(serializer.data, status=status.HTTP_200_OK)
|
||||
if getattr(settings, 'REST_USE_JWT', False):
|
||||
cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
|
||||
cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
|
||||
cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
|
||||
cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
|
||||
from rest_framework_simplejwt.settings import api_settings as jwt_settings
|
||||
if cookie_name:
|
||||
from datetime import datetime
|
||||
|
@ -94,7 +97,9 @@ class LoginView(GenericAPIView):
|
|||
cookie_name,
|
||||
self.access_token,
|
||||
expires=expiration,
|
||||
httponly=True
|
||||
secure=cookie_secure,
|
||||
httponly=cookie_httponly,
|
||||
samesite=cookie_samesite
|
||||
)
|
||||
return response
|
||||
|
||||
|
|
|
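Review bot: The new `JWT_AUTH_SAMESITE` value is passed straight to the cookie call without checking it against `cookie_secure`, and the default for `JWT_AUTH_SECURE` is `False`; browsers only accept `SameSite=None` on a cookie that also carries `Secure`, so an operator who sets `JWT_AUTH_SAMESITE = 'None'` for a cross-site SPA will get a cookie the browser silently drops (and on Django versions that accept only `Lax`/`Strict` for `samesite`, `set_cookie` would presumably raise instead — worth confirming against the supported Django range). I would fail fast on that combination right after the three `getattr` lines in the first hunk: `if str(cookie_samesite).lower() == 'none' and not cookie_secure:` followed by `    raise ImproperlyConfigured('JWT_AUTH_SAMESITE="None" requires JWT_AUTH_SECURE=True')` (with `from django.core.exceptions import ImproperlyConfigured`). A short comment on the `cookie_secure` line, `# Secure defaults to False for local HTTP dev; production deployments should set JWT_AUTH_SECURE = True`, would also make the insecure default an explicit choice rather than an oversight. The cookie call whose keyword arguments the second hunk edits begins before that hunk, so the positional `cookie_name, self.access_token` lines are shown here without their call site.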
@ -48,6 +48,9 @@ Configuration
|
|||
|
||||
- **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
|
||||
- **JWT_AUTH_COOKIE** - The cookie name/key.
|
||||
- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
|
||||
- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
|
||||
- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isn’t supported by all browsers.
|
||||
- **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
|
||||
|
||||
- **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change
|
||||
|
|